Published:
06 Jan 2002
|
Abstract
This article will look at security in your ASP.NET applications and how to secure your applications using the web.config file. |
|
by . .
Feedback
|
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days):
22212/
37
|
|
|
Introduction |
Securing ASP.NET with
web.config
Published 01/06/02
Introduction
In
web.config we
looked at what web.config is and I told you that I would talk more about it in
other articles so here is one. This article will look at security in your
ASP.NET applications and how to secure your applications. See
Security in ASP.NET
for more information on security in ASP.NET.
|
The web.config file |
web.config
web.config does most of the work
for you as it tells the application the who, what, where, when and how to be
authenticated (it doesn't need to tell it why).
<configuration>
<system.web>
<authentication mode="mode">
</authentication>
</system.web>
</configuration> |
This is the beginnings of something bigger. The
<authentication> tags and what goes between is everything ASP.NET needs to
know to provide security. The 'mode' property is about how to authenticate,
the possible values are - Windows, Forms and Passport.
Note : <authentication> only works in
the root folder of the virtual directory's web.config, not subfolders.
|
Forms Authentication |
Forms
Forms security works so that you don't have to
create new Windows accounts to let people in. I won't go over how it works
(see Security in ASP.NET). Here is the configuration -
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="Auth" loginURL="login.aspx" protection="All" timeout="10"
/>
</authentication></system.web>
</configuration> |
When you are authenticated you are given a
cookie called 'Auth'. The place where you login is called login.aspx. The
protection is by default - All, this gives the cookie validation (to make sure
it hasn't been tampered) and encryption (using Triple-DES or DES), you can
modify this with different properties (All, None, Encryption, Validation).
Next the timeout sets when the user's login will time-out (the default in 30)
in minutes.
Before we continue lets set up our login.aspx
file -
<script language="VB"
runat="server" />
Sub btn_click(sender as object, e as eventargs)
'You may want a database connection or something here
'To provide authentication from a database
If uname.Text = "philipq" And pword.text = "password" Then
FormsAuthentication.SetAuthCookie(uname.text, true)
Response.Redirect("seethis.aspx")
Else
lblmsg.Text = "Invalid username or password"
End If
End Sub
</script> |
I'll leave you to put the server controls in.
All this does is check the values of the two
textboxes (uname and pword) and if they're fine it sets
Formsauthentication.SetAuthCookie() to validate the user. the SetAuthCookie
method takes two parameters - the username of the authorized user and weather
or not to keep the cookie after the user closes the browser. The
FormsAuthentication provides many other useful methods.
So far we have given simple authentication for
users and the data is automatically encrypted. The cookie is also encrypted
like this -
aucookie
E605AB187FED02216B161C9EDC5F64B4F51ECA418DE3E1FE11EAFFD108D4B05F9949B4490C692615443A01F8ABA0E7E1CEA2F1C9B9D8EB067198C954A3EE85E6
localhost/
1024
3450704256
33137864
3627820272
29464168
*
You can clearly see the name of the cookie and the server it got it from.
|
Username & Password Storage |
U/P Storage
There is another way to get username and
password data rather than from a database or what we did before. By using the
<credentials> tag we can provide usernames and passwords for users.
<credentials
passwordFormat="Clear">
<user name="philipq" password="password" />
</credentials> |
This goes within the <authenticate> tags and
you can just add more users and needed. The passwordFormat can be Clear, MD5
or SHA1 which is the format that the passwords are encrypted in.
You then have to modify your login.aspx code
like this -
<script language="VB"
runat="server" />
Sub btn_click(sender as object, e as eventargs)
If FormsAuthentication.Authenticate(uname.text, pword.text) Then
FormsAuthentication.SetAuthCookie(uname.text, true)
Response.Redirect("seethis.aspx")
Else
lblmsg.Text = "Invalid username or password"
End If
End Sub
</script> |
The Authenticate method takes in the username
and password and returns true or false.
|
Summary |
Summary
There is a lot more to security than just this.
You can also have role based security, path based security and more with other
tags as well as the <authorize> tag. But I can't include it all here there is
plenty of information in the .NET Framework SDK as well as other sites out
there on security using <authenticate> and <authorize>. For more information
on security in ASP.NET see
Security in ASP.NET.
|
|
|
User Comments
Title:
great
Name:
jhon
Date:
2004-09-09 3:51:04 AM
Comment:
this is great!!!!!
|
Title:
great
Name:
great
Date:
2004-09-09 3:50:17 AM
Comment:
this is great!!!!!!11
|
|
Product Spotlight
|
|